Moladhh

Reputation: 7

How to redirect user to another JSP page in case of incorrect credentials

I am creating a login form for a Java web app. I have the user logging in with the correct password via a Java servlet, but I want to redirect the user to another JSP page if they enter the wrong password. My first idea is to create a try/catch statement. However, I receive blank pages when I attempt this. How can I ensure that the user knows when they have inputted the wrong password? Thanks

public class Loginn extends HttpServlet {

    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = response.getWriter()) {
            String name = request.getParameter("name");
            String pass = request.getParameter("pass");
            MyDb1 db = new MyDb1();
            Connection con = db.getCon();
            Statement stmt = con.createStatement();
            // Request parameters are concatenated directly into the SQL text.
            ResultSet rs = stmt.executeQuery("select uid,name,pass from register where email = '"+name+"' and  pass = '"+pass+"'");

            while (rs.next()) {
                String uid = rs.getString("uid");

                HttpSession session = request.getSession();
                session.setAttribute("name", uid);
                response.sendRedirect("http://localhost:8080/Final_Year_Project_5_/userprofile.jsp");
            }
        } catch (SQLException ex) {
            // The exception is only logged; no response is written.
            Logger.getLogger(Loginn.class.getName()).log(Level.SEVERE, null, ex);
        }
    }
}

Upvotes: 0

Views: 905

Answers (2)

Hasitha Jayawardana

Reputation: 2426

Try using if and else:

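import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class Loginn extends HttpServlet {

    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = response.getWriter()) {
            String name = request.getParameter("name");
            String pass = request.getParameter("pass");
            MyDb1 db = new MyDb1();
            Connection con = db.getCon();

            // Placeholders keep the submitted values out of the SQL text.
            PreparedStatement ps = con.prepareStatement("select uid,name,pass from register where email = ? and  pass = ?");
            ps.setString(1, name);
            ps.setString(2, pass);

            ResultSet rs = ps.executeQuery();

            if (rs.next()) {
                // A matching row exists: store the uid in the session and continue.
                String uid = rs.getString("uid");

                HttpSession session = request.getSession();
                session.setAttribute("name", uid);

                response.sendRedirect("userprofile.jsp");  // No need to add whole URL unless this is in another Folder.
            } else {
                // No matching row: wrong email or password.
                response.sendRedirect("error.jsp");
            }
        } catch (SQLException ex) {
            Logger.getLogger(Loginn.class.getName()).log(Level.SEVERE, null, ex);
        }
    }
}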

Upvotes: 0

rzwitserloot

Reputation: 102814

  1. YOUR CODE IS A SECURITY LEAK. Imagine I put in the web form, in the pass field:

    whatever' OR TRUE;--
    

I'd log in (just put that string into your query and print it back out, look at what it would do...).

You need to use PreparedStatement, replace all variables with question marks.

  2. YOUR CODE HAS A MEMORY LEAK. Connection and Statement and ResultSets are all resources; they need explicit closing. Google around for how to use 'try-with-resources' in Java.

JSPs are outdated technology, and your exception handling leaves the connection floating. I suggest doing: throw new ServletException(ex) instead, at least then you do the error handling in the right place (the servlet container).

The blank pages are probably due to how you handle exceptions (you log them and then do nothing, resulting in a blank page). Fix this and now you have an actual error you can look at.

Upvotes: 1
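The three points of the answer above (bound parameters, try-with-resources for the JDBC objects, rethrowing as ServletException) combined in one servlet, as an added example that is not code from either answer. `LoginServlet` and `findUid` are hypothetical names; it assumes `MyDb1.getCon()` returns a new connection that the caller may close, that `error.jsp` exists as in the first answer, and the `javax.servlet` API.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; MyDb1 is the asker's own helper class.
public class LoginServlet extends HttpServlet {

    private static final String LOGIN_SQL =
            "select uid from register where email = ? and pass = ?";

    /** Returns the uid of the matching row, or null when no row matches. */
    static String findUid(Connection con, String email, String pass) throws SQLException {
        // Statement and result set are closed automatically, even on an exception.
        try (PreparedStatement ps = con.prepareStatement(LOGIN_SQL)) {
            // Bound values travel as data, so a quote in the input cannot alter the query.
            ps.setString(1, email);
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("uid") : null;
            }
        }
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String uid;
        // Assumption: getCon() hands back a fresh connection owned by this request.
        try (Connection con = new MyDb1().getCon()) {
            uid = findUid(con, request.getParameter("name"), request.getParameter("pass"));
        } catch (SQLException ex) {
            // The container reports the failure instead of the user seeing a blank page.
            throw new ServletException(ex);
        }
        if (uid == null) {
            response.sendRedirect("error.jsp"); // wrong email or password
            return;
        }
        request.getSession().setAttribute("name", uid);
        response.sendRedirect("userprofile.jsp");
    }
}
```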
